

HITRUST: What You Should Know About Using AWS, Azure, and Other Third-Party Tools - Part 2

Dec 06, 2016

As a designated HITRUST CSF Assessor, Wipfli helps health care clients and business associates with HITRUST programs. In this article series, we address some of the uncertainties encountered with cloud computing services with regard to HITRUST compliance.

The intent is to share examples of tools that can help with HITRUST compliance by mentioning as many of the most useful offerings as possible. We’ll continue down the list of HITRUST CSF assessment domains and call attention to the tools that come up most frequently and/or heavily promote specific security features.

Domain: Endpoint Protection

When it comes to centrally managed virus scanning and anti-malware tools, there is an abundance of options available from a wide variety of vendors. While endpoint protection is needed for IaaS machines, this domain primarily addresses endpoints such as laptops and desktops used in the workplace.

All endpoint protection suites strive for the same goal: to protect endpoints from malware and exploitation. Given the speed at which new schemes and technologies emerge, on any given day one vendor could pass another to become the “best” protection available. Some of the current industry leaders include:

  • Microsoft System Center
  • Trend Micro
  • Symantec
  • Intel Security (McAfee)
  • Malwarebytes
  • Webroot
  • Kaspersky

For HITRUST, the single most important factor in the endpoint protection domain is that a solution is installed, operating, and updated on a regular basis. Other requirements are the availability of audit logs that show scans are occurring and that malicious code is in fact being blocked, as well as a console to show central endpoint management, and the ability to produce detailed reports.
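The requirement above (installed, operating, updated, with logs showing scans and blocks, and reportable centrally) is easiest to understand as an evidence-collection task. The following PowerShell script is an added example, not from the article or any of the listed vendors: it gathers that evidence from one endpoint. It assumes the built-in Microsoft Defender Antivirus agent and its Windows event log, which the article does not name; the listed products would need the equivalent queries against their own consoles or logs. The age thresholds and output path are assumptions, not HITRUST-mandated values.

```powershell
# Added example: collect endpoint protection evidence from one Windows host.
# Assumes Microsoft Defender Antivirus (not named in the article) and its
# "Microsoft-Windows-Windows Defender/Operational" event log.

$MaxSignatureAgeDays = 3   # assumed internal policy threshold
$MaxScanAgeDays      = 7   # assumed internal policy threshold

$status = Get-MpComputerStatus

$evidence = [ordered]@{
    ComputerName         = $env:COMPUTERNAME
    AgentServiceRunning  = $status.AMServiceEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
    LastQuickScan        = $status.QuickScanEndTime
    QuickScanAgeDays     = $status.QuickScanAge
    LastFullScan         = $status.FullScanEndTime
}

# Defender/Operational event IDs documented by Microsoft:
#   1000 scan started, 1001 scan finished, 1116 malware detected, 1117 action taken
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000, 1001, 1116, 1117
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

$evidence['ScansFinishedLast30d'] = @($events | Where-Object { $_.Id -eq 1001 }).Count
$evidence['DetectionsLast30d']    = @($events | Where-Object { $_.Id -eq 1116 }).Count
$evidence['ActionsTakenLast30d']  = @($events | Where-Object { $_.Id -eq 1117 }).Count

# Conditions an assessor would flag against the requirement text
$findings = @()
if (-not $status.AMServiceEnabled)          { $findings += 'Antimalware service is not running' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old"
}
if ($status.QuickScanAge -gt $MaxScanAgeDays) {
    $findings += "Last quick scan was $($status.QuickScanAge) days ago"
}
if ($evidence['ScansFinishedLast30d'] -eq 0) {
    $findings += 'No completed scans logged in the last 30 days'
}
if ($evidence['DetectionsLast30d'] -gt $evidence['ActionsTakenLast30d']) {
    $findings += 'Some detections have no logged remediation action'
}
$evidence['Findings'] = if ($findings) { $findings -join '; ' } else { 'None' }

# One CSV row per host, appended so a central collection point can aggregate them
$outFile = Join-Path $env:TEMP 'endpoint-protection-evidence.csv'   # assumed location
[pscustomobject]$evidence | Export-Csv -Path $outFile -NoTypeInformation -Append
[pscustomobject]$evidence
```

Run it under an account that can read the Defender event log; the detection-versus-action comparison is the line item that answers the "malicious code is in fact being blocked" part of the requirement, while the signature and scan ages answer "updated on a regular basis."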

When it comes to these primary factors, all of the vendors above deliver what’s needed. In fact, all actually go above and beyond by addressing today’s specific concerns and operating environments; that is, they all acknowledge cloud computing is where business is migrating. Even organizations that still employ on-premises environments are likely to have some cloud tools, such as Office 365 or hosted email servers, at their disposal.

Vendors therefore advertise security around four key areas: endpoints, networking, Internet, and servers. Each vendor describes these areas slightly differently, but in essence they are the same four areas.

For endpoints, networking, and servers, more traditional levels of protection, including malware scanning, protection against unauthorized access, and scans for attackers in the system, are available. On the rise in today’s environments are phishing and the ransomware that often results from it. It’s no surprise then that a big advertising point on all vendors’ sites is how they’ll protect an organization from rogue URLs, attachments, and other elements that can lead to ransomware.

Since most of the big-name vendors provide similar levels and varieties of protection, how do you choose the right one for your organization? There’s cost, of course, but also consider interface (things like the management console and dashboards available), ease of use, how the solution could interface and/or interfere with other applications, and if applicable, how it performs in a cloud environment.

Domain: Portable Media Security

When it comes to portable media security, the simplest solution would be to just not allow portable devices to be used. This approach may not be practical or possible, though, particularly since there is still a need in organizations to use devices like flash drives or other portable storage media.

The good news is that if an organization is already using Microsoft products on an enterprise level, then BitLocker is included. BitLocker is Microsoft’s product for endpoint encryption and can be used to encrypt storage devices connected to an endpoint. You can further automate this protective measure by combining the feature with group policies set up in Active Directory. For example, through group policy it is possible to block portable storage entirely, to allow read-only access, or to require encryption before anyone can write data to a device.
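The three group policy outcomes just described (blocked, read-only, encryption enforced) can be verified on an endpoint rather than taken on faith from the GPO editor. The PowerShell script below is an added example, not from the article or from Microsoft: it reads the registry values that the Removable Storage Access and BitLocker Removable Data Drives policies write, classifies the host's posture, and then checks every attached removable volume with the BitLocker cmdlets. The class GUID and value names are the ones those policies use on current Windows versions; the `LastAudit` label and the idea of exporting a row per host are assumptions for illustration.

```powershell
# Added example: audit removable-storage policy and BitLocker state on one host.
# Requires the BitLocker PowerShell module and an elevated session.

# Registry locations written by the two Group Policy settings discussed:
#   Computer Configuration > Administrative Templates > System > Removable Storage Access
$rsdKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$rsdDiskKey = Join-Path $rsdKey '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'  # "Removable Disks" device class
#   ... > Windows Components > BitLocker Drive Encryption > Removable Data Drives
$fveKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy has never been applied (key or value absent)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$denyAll         = Get-PolicyValue $rsdKey     'Deny_All'
$denyDiskRead    = Get-PolicyValue $rsdDiskKey 'Deny_Read'
$denyDiskWrite   = Get-PolicyValue $rsdDiskKey 'Deny_Write'
$denyUnencrypted = Get-PolicyValue $fveKey     'RDVDenyWriteAccess'

# Map the raw values onto the three outcomes named in the article
if ($denyAll -eq 1) {
    $posture = 'Blocked: all removable storage classes denied'
} elseif ($denyDiskRead -eq 1 -and $denyDiskWrite -eq 1) {
    $posture = 'Blocked: removable disks denied'
} elseif ($denyDiskWrite -eq 1) {
    $posture = 'Read-only: writes to removable disks denied'
} elseif ($denyUnencrypted -eq 1) {
    $posture = 'Encryption enforced: writes allowed only to BitLocker-protected drives'
} else {
    $posture = 'Unrestricted: no removable storage policy applied'
}

# Inspect whatever removable volumes are attached right now
$drives = foreach ($vol in Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }) {
    $mount = "$($vol.DriveLetter):"
    $bl    = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Drive        = $mount
        FileSystem   = $vol.FileSystem
        SizeGB       = [math]::Round($vol.Size / 1GB, 1)
        Encrypted    = [bool]($bl -and $bl.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
    }
}

# An attached, writable, unencrypted drive on a host without an enforcing policy is the finding
$unprotected = @($drives | Where-Object { -not $_.Encrypted })
$findings = @()
if ($posture -like 'Unrestricted*' -and $unprotected.Count -gt 0) {
    $findings += "Unencrypted removable drives attached with no restricting policy: $($unprotected.Drive -join ', ')"
}

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Posture      = $posture
    DrivesSeen   = $drives.Count
    Unencrypted  = $unprotected.Count
    Findings     = if ($findings) { $findings -join '; ' } else { 'None' }
    LastAudit    = Get-Date   # assumed field for the central report
} | Format-List
$drives | Format-Table -AutoSize
```

Policy values are read from the machine's applied-policy hive, so the script reports what the endpoint is actually enforcing after the last group policy refresh, which is the state an assessor wants to see.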

Beyond Microsoft’s built-in solution, there are other enterprise solutions that work with BitLocker or alone and include not only encryption, but also centralized management and control.

One particular product is Sophos Safeguard (current version 7). The product advertises full disk encryption for all the major formats including NTFS, FAT, and FAT32. For organizations looking for a tool that goes further than BitLocker, Safeguard offers some more comprehensive features. First, it offers an option to select, manage, and authorize which users can view encrypted data, even in the event the hard drive/portable storage is removed/moved. Second, it has the ability to silently encrypt and to encrypt only specific file paths. (Anyone who’s used BitLocker knows there’s nothing silent about it.)

As mentioned, Safeguard also includes tools to centrally manage all endpoints and devices running the solution. In addition, Safeguard delivers other features important for HITRUST compliance, including remote encryption, whitelisting for access, a dashboard, and device tracking.

Domain: Mobile Device Security

This domain’s first HITRUST requirement is that mobile computing devices be protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls, secure configuration, and physical protections.

This is really an all-encompassing statement about the technical management and control of all endpoints and mobile devices, and each element, from access controls through physical protections, is covered by measures taken in other HITRUST domains.

Still, good tools are available to support mobile device management (MDM), particularly in BYOD (bring your own device) environments. Because of the rise of personal smartphones and the decline of corporate-assigned devices, many organizations must now consider how best to monitor and control personal devices that are within their somewhat limited scope of control. The following tools aren’t intrusive, still protect the organization, and can also be considered for corporately owned devices.

  • Airwatch is one of the most robust MDM tools available on the market. It offers management tools for overall MDM, BYOD, mobile security, mobile applications, email, browsing, laptops, and identity, to name a few. With the MDM console, an organization can also track and monitor all enrolled devices. An enrolled device can be completely wiped in the event it is stolen or can be just enterprise wiped (removing organization data only) in the event an employee quits or is terminated. Airwatch also supports all the major players including Windows, Android, Apple, Blackberry, and Symbian (a platform that’s going extinct).
  • Amtel (Netplus Mobility) is another offering that can work in both BYOD and corporate-owned device settings. This tool includes many of the same features found in Airwatch. One of the differences, however, is in smartphone platforms; this tool supports only Apple and Android. But if smartphones aren’t high on the list of concerns, then both vendors offer similar tools for laptops, email, and application management.

Next in the series: The CSF assessment domain of audit logging and monitoring.


Jason J. Papador